US20170099176A1 - Containerized architecture to manage internet-connected devices - Google Patents

Containerized architecture to manage internet-connected devices

Info

Publication number
US20170099176A1
Authority
US
United States
Prior art keywords
management
gateway
management server
iot
sensor
Prior art date
Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
Granted
Application number
US15/270,948
Other versions
US10374869B2 (en)
Inventor
Sandeep Jain
Current Assignee (The listed assignees may be inaccurate. Google has not performed a legal analysis and makes no representation or warranty as to the accuracy of the list.)
Ivanti Inc
Original Assignee
MobileIron Inc
Priority date (The priority date is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the date listed.)
Filing date
Publication date
Application filed by MobileIron Inc
Priority to US15/270,948 (granted as US10374869B2)
Assigned to MOBILE IRON, INC. (assignment of assignors interest; see document for details). Assignors: JAIN, SANDEEP
Publication of US20170099176A1
Application granted
Publication of US10374869B2
Assigned to BANK OF AMERICA, N.A., AS COLLATERAL AGENT (security interest; see document for details). Assignors: CellSec, Inc., INVANTI US LLC, INVANTI, INC., MobileIron, Inc., PULSE SECURE, LLC
Assigned to MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT (security interest; see document for details). Assignors: CellSec, Inc., IVANTI US LLC, IVANTI, INC., MobileIron, Inc., PULSE SECURE, LLC
Assigned to IVANTI, INC. (assignment of assignors interest; see document for details). Assignors: MobileIron, Inc.
Legal status: Active

Classifications

    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L41/00 Arrangements for maintenance, administration or management of data switching networks, e.g. of packet switching networks
            • H04L41/04 Network management architectures or arrangements
              • H04L41/046 Network management architectures or arrangements comprising network management agents or mobile agents therefor
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/12 Protocols specially adapted for proprietary or special-purpose networking environments, e.g. medical networks, sensor networks, networks in vehicles or remote metering networks
    • H ELECTRICITY
      • H04 ELECTRIC COMMUNICATION TECHNIQUE
        • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
          • H04L67/00 Network arrangements or protocols for supporting network services or applications
            • H04L67/01 Protocols
              • H04L67/42

Definitions

  • IoT: Internet of Things
  • Emerging examples include sensors, security devices, household appliances, entertainment components, and personal electronics, but the Internet of Things could include any physical object.
  • IoT devices may be configured to sense the physical environment, may comprise edge devices that perform data acquisition from the physical environment, and/or may change the physical environment, among other activities. IoT devices may communicate over IP(v6) and/or other protocols.
  • FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
  • FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
  • FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
  • FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
  • FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
  • the invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor.
  • these implementations, or any other form that the invention may take, may be referred to as techniques.
  • the order of the steps of disclosed processes may be altered within the scope of the invention.
  • a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task.
  • the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
  • a containerized architecture to manage Internet-connected client devices such as IoT devices
  • containerization technology provides an isolated, resource controlled, and portable environment in which to run apps, applications, or other code.
  • sensors or other IoT devices may be managed and provided network connectivity via an IoT gateway. Sensors may be virtualized and managed, including by controlling access to such sensors by IoT or other applications and services, and a secure identity may be provided to each sensor.
  • An “edge agent” or other software may be installed on an IoT gateway to provision, secure, and manage the gateway, associated sensors, and applications installed on the gateway.
  • the applications may comprise “smart” applications configured to invoke and use sensors associated with the gateway, such as to gather data. Sensors may be invoked via specialized software, sometimes referred to herein as containerized “sensor drivers”, which may be configured to provide secure (controlled) access to sensors via a consistent API or other interface, regardless of the physical sensor.
  • a containerization architecture, such as Linux Containers (LXC) running on the Linux™ operating system, may be used to provide a resource controlled environment for isolation.
  • smart or other IoT apps, sensor drivers, and the edge agent may each run in a separate container on the IoT gateway.
  • the edge agent may run in a container having higher-level privileges and may be configured and used, via a remote Enterprise Mobility Management (EMM) or other management server, to manage and control the installation of sensor drivers, apps, and other resources on the IoT gateway, and to configure such apps and other resources to implement policies set by an administrative user.
  • EMM: Enterprise Mobility Management
  • the apps may be configured to access backend services, such as IoT services, enterprise app services, etc., only via a security proxy.
  • the security proxy may be configured to provide access according to configuration and/or state information, including gateway and/or other security or other posture information.
  • FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • integrated device management system and environment 100 includes a management server 102 , e.g., an enterprise mobility management (EMM) or other server configured to manage IoT devices, applications, and services as disclosed herein.
  • management server 102 also performs mobile device management with respect to mobile devices 104 , which may include smartphones, tablets, laptops, or other mobile computing devices.
  • a uniform user interface may be used to control front-end devices by using EMM for IoT.
  • management server 102 may manage mobile devices 104 by performing one or more of facilitating or requiring device registration; configuring devices and/or applications or other resources installed thereon; installing, provisioning, and/or configuring a management agent (e.g., a management application or app) on the device; and receiving, determining, and/or processing security or other state information to determine a security posture of each device 104 .
  • Management server 102 may interact with security proxy 106 to provide managed access to backend services 108 .
  • backend servers on an enterprise network may provide enterprise services 108 .
  • Security proxy 106 may be configured to provide secure access to backend services 108 by users of devices 104 .
  • each device 104 access may be managed (e.g., provided without restriction, provided subject to restrictions, or blocked) by security proxy 106 based on state and/or context information, including by way of example and without limitation a security posture of the device 104 as indicated by management server 102 , a global security state or information, and context information such as time of day, current geographic location of the device 104 , etc.
  • management server 102 and security proxy 106 in addition manage IoT devices associated with an IoT gateway 110 .
  • IoT gateway 110 serves as a gateway node for a plurality of associated sensors 112 .
  • Sensors 112 may include any physical sensing device, including without limitation environmental (e.g., temperature, wind) sensors; optical sensors, such as a camera or photodiode; audio sensors, such as a microphone; smell sensors; vibration or other motion detectors; seals or other tamper detection devices; biometric input devices such as hand, retina, and fingerprint scanners; and manual input devices such as buttons, knobs, levers, keypads, etc.; or any other device capable of detecting a value or event taking place in a physical space in which the device is located and/or capable of being altered by or altering a physical environment in which the device is located.
  • management server 102 and security proxy 106 cooperate to provide managed access to IoT services 114 .
  • access to devices 112 may be managed at least in part by installing on IoT gateway 110 and configuring one or more apps configured to control one or more of sensors 112 ; consume data or other output or signal data generated by sensors; and/or interact via sensors 112 with a physical space in which sensors 112 may be located.
  • Security proxy 106 may be configured to terminate a secure connection, such as a tunnel connection, to the gateway 110 and/or one or more applications or other entities installed on gateway 110 .
  • Security proxy 106 may be configured to use secure connections to backend IoT services 114 to proxy connections and/or communications between apps on gateway 110 and backend IoT services 114 .
  • IoT services 114 may include, without limitation, services that consume and use data generated by sensors 112 to expose related (e.g., reporting, monitoring, analysis) services to client devices and/or systems associated with users of such services 114 .
  • temperature sensors 112 may be used to monitor the temperature in a plurality of physical locations, each associated with a corresponding IoT gateway 110 .
  • Apps on the respective gateways 110 may report data to a corresponding IoT service 114 via security proxy 106 .
  • the IoT service may analyze the data, aggregate and report the data, generate alerts based on the data, etc., and provide related information or other services to local or remote client devices and systems (not shown in FIG. 1 ).
  • access by apps running on IoT gateway 110 to backend IoT (or other) services 114 may be managed by security proxy 106 in the same way (or similar ways) as access by mobile devices 104 to enterprise services 108 .
  • access may be managed at least in part by enforcing one or more policies, including without limitation by taking into consideration sensor and/or gateway security or other state or posture information, threat detection from anomalous sensor data behavior, and context data such as time of day, day of the week, etc.
  • FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • management server 202 and security proxy 206 cooperate to provide managed access to IoT services 214 by apps, sensors, and/or other resources comprising and/or otherwise associated with IoT gateway 210 .
  • IoT gateway 210 has installed thereon a management agent identified in FIG. 2 as edge agent 220 .
  • Edge agent 220 may be installed on IoT gateway 210 by/from an app store, which may be hosted on management server 202 in some embodiments, and configured by management server 202 to be used to manage other resources on and/or associated with gateway 210 as disclosed herein.
  • gateway 210 may comprise a lightweight computing device comprising one or more processors; memory devices; power modules and components such as batteries, power supplies, etc.; communication buses and connections; physical ports and traces or wires to connect such ports to other components; etc.
  • gateway 210 may be a Raspberry Pi™ or similar lightweight, low cost computing device.
  • Edge agent 220 is configured in various embodiments to install, configure, and manage apps installed on gateway 210 , such as IoT smart apps 222 and sensor drivers 224 in the example shown.
  • Sensor drivers 224 each may comprise a specialized app that performs security, admin, and management functions beyond those performed by traditional driver software.
  • sensor drivers 224 are configured to provide access to a corresponding one or more of sensors 226 via a consistent, easy-to-use, well-published API or other interface.
  • Sensor drivers 224 may provide to apps 222 secure and/or managed access to sensors 226 and/or data provided by sensors 226 .
  • sensor drivers 224 may prevent apps 222 from altering a configuration or operation of sensors 226 .
  • edge agent 220 may configure sensor drivers 224 to configure, operate, and/or manage access to sensors 226 in a manner specified by a policy or other configuration data, such as administrative commands entered via an interface of management server 202 .
  • Sensor drivers 224 may serve as an input/output multiplexer for a physical port (not shown in FIG. 2 ) of gateway 210 .
  • Sensor drivers 224 may allow administrative commands, policies, etc. to be used to control which business apps are allowed to communicate with which sensors.
  • sensor drivers such as sensor drivers 224 may be downloaded from an authorized (e.g., enterprise-managed) app store, and may be updated and/or managed in the same manner as other apps.
  • Edge agent 220 , smart apps 222 , and sensor drivers 224 each may comprise a containerized application running in a container provided on gateway 210 using a containerization platform, architecture, and/or technology, such as Linux Containers (linuxcontainers.org).
  • Edge agent 220 may comprise a privileged containerized application.
  • edge agent 220 may run in a container that includes capabilities required to manage apps 222 and/or sensor drivers 224 , as disclosed herein.
  • each containerized application (e.g., edge agent 220 , apps 222 , and drivers 224 ) runs on top of an operating system 228 , such as the Linux™ operating system.
  • managed apps 222 may be configured to provide to IoT services 214 , via security proxy 206 , data comprising and/or derived from output of sensors 226 .
  • data may be aggregated, filtered, selectively reported, compressed, encrypted, and/or otherwise pre-processed by one or more of apps 222 , resulting in less data and/or value added data being communicated to IoT services 214 , resulting in consumption of less network communication and backend storage and processing resources than may have been required or consumed absent such pre-processing.
  • sensor drivers 224 may be configured to detect tampering, failure, or other state or context data affecting sensors 226 .
  • sensor drivers 224 may be configured to report such information to management server 202 , which may in response update a security posture and/or other state and/or context data associated with the affected sensor, the gateway 210 , and/or applicable ones of apps 222 installed thereon.
  • apps 222 may be prevented from sending to IoT services 214 data obtained from a potentially compromised sensor 226 , either by changing the behavior of the app 222 (for example, by using edge agent 220 to change the app's configuration data) or by blocking or stripping such data at security proxy 206 , e.g., in response to security posture information received from management server 202 .
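As an added illustration (our own code, not the patent's or MobileIron's), the following Python sketch shows how a containerized sensor driver such as sensor drivers 224 can be the single mediation point between apps and sensors: a per-app access policy pushed down by the edge agent, one uniform request API regardless of the physical sensor, refusal of configuration changes from apps, and an out-of-range reading treated as a tamper signal that cuts the sensor off and is reported upward. The policy format, the `valid_range` tamper heuristic, and all names are assumptions.

```python
from dataclasses import dataclass, field

# Operations an app may request through the driver API. "configure" is reserved
# for the edge agent, the only caller allowed to change sensor setup.
APP_OPERATIONS = frozenset({"read", "subscribe"})


class AccessDenied(Exception):
    """Raised when the driver refuses a request from an app."""


@dataclass
class Sensor:
    name: str
    kind: str
    value: float = 0.0
    tampered: bool = False
    config: dict = field(default_factory=dict)


class SensorDriver:
    """Containerized sensor driver: the only path from apps to the physical port.

    policy: {app_name: {sensor_name: {"read", "subscribe"}}}, pushed down by the
            edge agent from the management server (hypothetical format).
    report: callback used to send posture events up to the edge agent.
    """

    def __init__(self, sensors, policy, report):
        self._sensors = {s.name: s for s in sensors}
        self._policy = policy
        self._report = report
        self._subscribers = {}  # sensor_name -> [app_name, ...]

    # ---- edge-agent facing (privileged container) ----
    def apply_policy(self, policy):
        self._policy = policy

    def configure(self, sensor_name, **settings):
        self._sensors[sensor_name].config.update(settings)

    # ---- app facing: one uniform entry point, regardless of physical sensor ----
    def request(self, app, sensor_name, op):
        if op not in APP_OPERATIONS:
            raise AccessDenied(f"{app}: {op!r} is not available to apps")
        if op not in self._policy.get(app, {}).get(sensor_name, ()):
            raise AccessDenied(f"{app}: {op} on {sensor_name} not permitted by policy")
        sensor = self._sensors[sensor_name]
        if sensor.tampered:
            raise AccessDenied(f"{sensor_name} is flagged as tampered")
        if op == "read":
            return sensor.value
        self._subscribers.setdefault(sensor_name, []).append(app)
        return True

    # ---- hardware facing ----
    def ingest(self, sensor_name, value):
        """Raw reading from the physical port. A reading outside the configured
        valid range is treated as a tamper/failure signal (constructed heuristic):
        the sensor is flagged, a posture event is reported, nothing is fanned out.
        Returns the (app, sensor, value) deliveries made to subscribers."""
        sensor = self._sensors[sensor_name]
        lo, hi = sensor.config.get("valid_range", (float("-inf"), float("inf")))
        if not lo <= value <= hi:
            sensor.tampered = True
            self._report({"event": "sensor_tampered", "sensor": sensor_name, "value": value})
            return []
        sensor.value = value
        return [(app, sensor_name, value) for app in self._subscribers.get(sensor_name, [])]


def is_denied(driver, app, sensor_name, op):
    """True when the driver refuses the request (convenience for callers)."""
    try:
        driver.request(app, sensor_name, op)
    except AccessDenied:
        return True
    return False
```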
  • FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
  • the process of FIG. 3 may be implemented by a management server, such as management server 102 of FIG. 1 or management server 202 of FIG. 2 , to provide an IoT gateway device, such as gateway 110 of FIG. 1 or gateway 210 of FIG. 2 .
  • an IoT gateway is pre-registered ( 302 ).
  • an administrative user may use a web-based or other interface of a management server, such as management servers 102 and 202 , to create a record of the gateway; assign to the gateway a corresponding identity, such as a certificate; associate the gateway with one or more groups, designations, and/or configuration/management policies; etc.
  • the pre-registered gateway is deployed, e.g., to an associated physical location, and connected to the management server, e.g., via a wireless, wired, or other network connection available at the physical location to which the gateway has been deployed ( 304 ).
  • physical custody and control of the gateway may be maintained very carefully, to ensure the gateway is not tampered with en route to being deployed at a destination physical location.
  • the management server is used to install an edge agent on the gateway ( 306 ).
  • for example, a native management agent of the gateway, if present, may be used to install and configure the edge agent.
  • an administrative user account and/or credential may be used to install the edge agent.
  • the edge agent may be configured automatically, e.g., to enforce one or more policies associated with the gateway at the management server.
  • the gateway is provisioned ( 308 ).
  • an image or other encapsulation of an IoT gateway as disclosed herein may be downloaded and installed on a hardware device comprising the gateway.
  • An operating system may be installed, configured, and/or brought under management.
  • the IoT gateway disclosed herein may itself be a containerized application, such as a Linux container, within which another containerization environment is run that includes containerized apps such as smart IoT apps and/or sensor drivers.
  • provisioning the gateway may include one or more of providing an identity, such as via a certificate, providing policy and/or configuration data to be enforced locally, connecting the gateway to an associated security proxy, etc.
  • containerized apps, such as IoT smart apps and sensor drivers, may be installed and configured on an IoT gateway as disclosed herein.
  • the management server and edge agent may cooperate to install one or more smart apps and/or one or more sensor driver apps on the gateway, and to configure such apps according to applicable policies.
  • the smart apps and/or sensor drivers each may comprise a containerized app that is downloaded to the gateway in the form of a containerization-friendly binary image or similar encapsulation, obtained from an associated universally accessible resource such as an image registry, such as one installed on and/or otherwise associated with the management server.
  • FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
  • the process of FIG. 4 may be implemented by a security proxy, such as proxy 106 of FIG. 1 or proxy 206 of FIG. 2 .
  • IoT gateway (and/or associated) posture information is received ( 402 ).
  • a security proxy may receive posture information from a management server.
  • the management server may notify the security proxy 106 of the updated posture of the gateway. If the gateway is/remains fully compliant ( 404 ), the security proxy (or other node) allows/continues to allow access to associated backend IoT services ( 406 ). If the gateway is not fully compliant ( 404 ), a policy-based responsive action is taken ( 408 ). In various embodiments, the responsive action may be indicated by a policy or other configuration data.
  • a change in gateway security posture (e.g., too much time since last check-in, an unauthorized app installed, an unauthorized change to an app or its configuration, detected tampering with the gateway, a sensor, apps, and/or drivers, etc.) may result in a responsive action being taken.
  • the nature and/or scope of the response may be determined programmatically based on the specific applicable security posture information. For example, a change to a state indicating that a particular sensor may have been tampered with may result in the security proxy or other node blocking data from that sensor only. Installation of an unauthorized and potentially malicious app on the gateway, by contrast, may result in all communications from that gateway being blocked and/or quarantined.
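An added example (our own code, not the patent's) of the FIG. 4 decision at a security proxy: posture pushed by the management server is mapped by policy to allow, to block one sensor's data only, or to quarantine the whole gateway, and a stale check-in, an unknown event type, or a gateway with no posture on record fails closed. The event names, the policy table, and the report format are assumptions.

```python
from dataclasses import dataclass, field

# Responsive actions a policy can map a posture event to (labels are ours).
ALLOW = "allow"
BLOCK_SENSOR = "block_sensor"        # strip data from one sensor, keep the rest
QUARANTINE_GATEWAY = "quarantine"    # block all communications from the gateway

# Hypothetical policy: posture event type -> responsive action.
DEFAULT_POLICY = {
    "sensor_tampered": BLOCK_SENSOR,
    "unauthorized_app": QUARANTINE_GATEWAY,
    "app_config_changed": QUARANTINE_GATEWAY,
    "stale_checkin": QUARANTINE_GATEWAY,
}
MAX_CHECKIN_AGE = 15 * 60  # seconds; "too much time since last check in"


@dataclass
class Posture:
    """Posture information as the management server would push it to the proxy."""
    gateway_id: str
    last_checkin: int                            # epoch seconds
    events: list = field(default_factory=list)   # [(event_type, detail), ...]


@dataclass(frozen=True)
class Decision:
    action: str
    blocked_sensors: frozenset = frozenset()


def evaluate_posture(posture, now, policy=DEFAULT_POLICY):
    """Map posture to a decision. A gateway-wide action wins over sensor-level
    ones; an event type the policy does not know is treated as fail-closed."""
    events = list(posture.events)
    if now - posture.last_checkin > MAX_CHECKIN_AGE:
        events.append(("stale_checkin", None))
    blocked = set()
    for event_type, detail in events:
        action = policy.get(event_type, QUARANTINE_GATEWAY)
        if action == QUARANTINE_GATEWAY:
            return Decision(QUARANTINE_GATEWAY)
        if action == BLOCK_SENSOR:
            blocked.add(detail)
    if blocked:
        return Decision(BLOCK_SENSOR, frozenset(blocked))
    return Decision(ALLOW)


def filter_report(report, decision):
    """Apply a decision to one outbound app report of the form
    {"gateway": id, "readings": [{"sensor": name, "value": v}, ...]}.
    Returns the report to forward to the IoT service, or None if blocked."""
    if decision.action == QUARANTINE_GATEWAY:
        return None
    if decision.action == ALLOW:
        return report
    readings = [r for r in report["readings"] if r["sensor"] not in decision.blocked_sensors]
    return {**report, "readings": readings}


class SecurityProxy:
    """Holds the latest decision per gateway and applies it to forwarded traffic."""

    def __init__(self, policy=DEFAULT_POLICY):
        self._policy = policy
        self._decisions = {}

    def update_posture(self, posture, now):
        """Called when the management server notifies the proxy of updated posture."""
        self._decisions[posture.gateway_id] = evaluate_posture(posture, now, self._policy)
        return self._decisions[posture.gateway_id]

    def forward(self, report):
        # A gateway with no posture on record is not known to be compliant: fail closed.
        decision = self._decisions.get(report["gateway"], Decision(QUARANTINE_GATEWAY))
        return filter_report(report, decision)
```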
  • FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
  • the process of FIG. 5 may be performed by a management server to provide a response to be implemented at a gateway based on security or other posture, configuration, and/or context information.
  • the process of FIG. 5 may be implemented at an IoT gateway, such as by an edge agent installed on an IoT gateway, to provide a local response to security posture and/or other information.
  • security posture, configuration, and/or context information are monitored ( 502 ).
  • an edge agent may monitor the configuration of IoT smart apps, sensor drivers, sensors, and/or other resources comprising and/or otherwise associated with a gateway to detect configuration changes, tampering with physical sensors, connectors, or ports, etc.
  • an edge agent may report posture, configuration, and context data, e.g., to a management server.
  • posture, configuration, and/or context data may be provided by external sources, such as an administrator, or a third party system, such as an intrusion detection system or other security system.
  • a managed IoT smart app may be configured to provide data in a different manner, to use an alternate sensor and/or sensor app, to suspend operation, to send data to a different destination, etc.
  • FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
  • the process of FIG. 6 may be performed by an IoT smart app.
  • sensor and/or other data is gathered and evaluated locally at the gateway ( 602 ).
  • an IoT smart app may perform analysis, such as comparing sensor output values to a threshold, performing statistical analysis, etc. If a threshold or other trigger event is detected ( 604 ), applicable sensor and/or derived or otherwise related data may be aggregated, filtered, packaged, and/or compressed and then sent to an associated backend service, e.g., via a security proxy. Processing continues until done ( 608 ), e.g., the IoT smart app stops running, there is no further sensor data to process, etc.
  • FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • a given set of sensors are used by associated apps and sensor drivers to provide an illustrative example of an IoT service provided using techniques disclosed herein.
  • Management server 702 and security proxy 706 cooperate, as disclosed herein, to provide managed access to a remote image service 714 .
  • Client systems and/or devices 716 may access the service 714 to see, for example, images taken by a camera or other sensor installed at a remote physical location.
  • IoT gateway 710 having operating system 712 running thereon may be installed at or near the monitored location.
  • An edge agent (management app) 720 installed and running on gateway 710 manages a remote imaging app 722 , sensor driver 724 , and camera (sensor) driver 726 , each of which may comprise a containerized application running on gateway 710 .
  • Sensor driver 724 functions as an I/O multiplexer for a serial I/O port 728 to which sensors 730 and 732 are connected.
  • sensor 730 may be a push button while sensor 732 may be a motion and/or light detector.
  • Camera driver 726 configures and manages access to a camera 736 connected to gateway 710 via a general purpose I/O 734 .
  • Remote image app 722 accesses sensors 730 and 732 via sensor driver 724 , and camera 736 via camera driver 726 .
  • Sensor driver 724 and/or camera driver 726 may be configured to allow access only selectively and/or subject to constraints specified in their own app configuration data.
  • sensor driver 724 may be configured to provide to remote image app 722 access only to output data (e.g., click events) associated with push button 730 .
  • remote image app 722 may be configured to subscribe, via sensor driver 724 , to click events generated by sensor driver 724 in response to receiving an indication via serial I/O 728 that the push button 730 has been pushed. In response to each occurrence of such a click event, remote image app 722 may be configured to request and obtain via camera driver 726 a burst comprising a prescribed number of images generated using camera 736 . The prescribed number may be indicated, for example, in app configuration data for one or both of the camera driver 726 and the remote imaging app 722 . Remote imaging app 722 may be configured to perform filtering, analysis, and/or other pre-processing of received image data.
  • remote imaging app 722 may be configured to detect the presence (or not) of a face in an image, and to send to remote imaging service 714 only those images that contain a face. Or, remote imaging app 722 may be configured to judge image quality and send only a selected representative image of a certain quality. In yet another example, remote imaging app 722 may be configured to degrade image quality and/or otherwise reduce an associated data size prior to communicating an image to the remote imaging service 714 .
  • management and security techniques disclosed herein may be applied to the example service shown in FIG. 7 .
  • management server 702 may send updated posture information to security proxy 706 , prompting security proxy 706 to block access by remote image app 722 to remote image service 714 .
  • an administrator may indicate via an administrative interface a desired change in app behavior, such as to change the number of images included in each burst.
  • management server 702 may use edge agent 720 to change the configuration of one or both of remote image app 722 and camera driver 726 to implement the change.
  • camera 736 may be replaced with a different physical device.
  • a replacement driver for camera driver 726 may be downloaded, installed, and configured.
  • the replacement driver may be configured to implement a physical or other interface to the new camera, while continuing to expose a consistent interface to remote image app 722 , which in this example would not be required to be updated and/or reconfigured.
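The FIG. 6 loop and the FIG. 7 click-to-burst flow, as one added example (our own code, not the patent's): a click event delivered by the sensor driver triggers a burst whose size comes from the camera driver's configuration data, the app pre-filters and size-caps images locally before anything is sent via the proxy, and the administrative change described above is implemented by rewriting configuration data rather than code. The frames, the face flag, the quality score, and all names are constructed assumptions.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Image:
    seq: int
    has_face: bool      # constructed stand-in for a face-detector result
    quality: float      # constructed quality score in 0.0 .. 1.0
    size_bytes: int


class CameraDriver:
    """Stand-in for camera driver 726: serves bursts from a constructed frame
    queue. Its burst size is configuration data the edge agent may rewrite."""

    def __init__(self, frames, burst_size=3):
        self._frames = list(frames)
        self.config = {"burst_size": burst_size}

    def burst(self):
        n = self.config["burst_size"]
        out, self._frames = self._frames[:n], self._frames[n:]
        return out


class RemoteImageApp:
    """Remote image app 722: one burst per click event, pre-processed locally so
    that only selected, size-bounded images leave the gateway via the proxy."""

    def __init__(self, camera, send, mode="faces_only", max_bytes=50_000):
        self._camera = camera
        self._send = send            # forwards to the remote image service via the security proxy
        self.config = {"mode": mode, "max_bytes": max_bytes}

    def on_event(self, event):
        """Event as delivered by sensor driver 724; only click events are acted on.
        Returns the images that were sent."""
        if event.get("type") != "click":
            return []
        selected = self._preprocess(self._camera.burst())
        for img in selected:
            self._send(img)
        return selected

    def _preprocess(self, frames):
        mode = self.config["mode"]
        if mode == "faces_only":
            chosen = [f for f in frames if f.has_face]
        elif mode == "best_quality":
            chosen = [max(frames, key=lambda f: f.quality)] if frames else []
        else:                         # "all": no filtering
            chosen = list(frames)
        # Simulated size reduction: cap each image at max_bytes before sending.
        cap = self.config["max_bytes"]
        return [f if f.size_bytes <= cap else replace(f, size_bytes=cap) for f in chosen]


def apply_admin_change(app, camera, burst_size=None, mode=None):
    """What edge agent 720 does on a management-server instruction: rewrite the
    app's and driver's configuration data in place; no code is changed."""
    if burst_size is not None:
        camera.config["burst_size"] = burst_size
    if mode is not None:
        app.config["mode"] = mode
    return {"burst_size": camera.config["burst_size"], "mode": app.config["mode"]}
```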
  • FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
  • a management server 802 and security proxy 806 cooperate to provide managed access to IoT services 814 by IoT smart applications running on IoT gateway 810 having operating system 812 running thereon.
  • management is performed at least in part via an edge agent 820 installed on gateway 810 .
  • Edge agent 820 configures and otherwise manages containerized applications running on gateway 810 , such as image app 822 , button (sensor) driver 824 associated with button sensor 830 , and camera (sensor) driver 826 associated with camera 836 , in this example, through communications sent via a secure connection bus.
  • an IoT application store paradigm, platform, and interface 816 is provided to enable IoT smart apps, sensor drivers, and other resources to be installed on a managed IoT gateway, such as gateway 810 .
  • IoT application store interface 816 displays in dashed, outline, shadow, or other less prominently visible form icons representing containerized applications that have already been installed on gateway 810 . Additional applications (temp driver, alarm app) that have not (yet) been installed on gateway 810 are displayed using solid lines.
  • an IoT app store may be implemented as a software distribution registry or similar repository.
  • Each application icon displayed via the app store interface such as interface 816 in the example shown, may be associated with a corresponding downloadable software image or similar encapsulation of data required to build and run a container. Selection of an application that has not been installed may result in the corresponding image being pulled to the associated IoT gateway, which may then use the image or other data to install and run a corresponding instance of an associated containerized application.
  • apps and sensor drivers shown in and described above in connection with FIGS. 7 and 8 are illustrative examples of apps and sensor drivers that may be used in the application agnostic architecture and approach disclosed herein. Limitless other apps, sensor drivers, and associated services may be conceived and implemented using techniques disclosed herein.
  • applications made available via an IoT app store as disclosed herein may comprise a subset of applications included in a master inventory of applications.
  • the applications in the inventory may be filtered based on information associated with the gateway, such as a role or other data associated with an enterprise or other user with which the gateway is associated; a location or other attribute associated with the gateway; security or other posture information; group or other designation with which the gateway is associated; sensors detected to be connected to the gateway; etc.
  • apps, sensor drivers, and/or other IoT gateway apps and tools may be developed by application developers.
  • a software development kit (SDK), application programming interface (API), open source code repository, and/or other tools and resources may be provided to facilitate the development and/or improvement of IoT gateway apps and drivers.
  • SDK software development kit
  • API application programming interface
  • open source code repository open source code repository
  • other tools and resources may be provided to facilitate the development and/or improvement of IoT gateway apps and drivers.
  • a developer associated with an enterprise, or a third party developer may create a new or adapted sensor driver to enable a new type, make, or model of sensor to be used by one or more other IoT gateway apps and/or associated services.
  • Apps, sensor drivers, and other code developed by third parties may be submitted for review and approval, and may be made available to be downloaded from an IoT gateway app store upon a determination being made that the app, sensor driver, etc. functions as intended and contains no malicious or otherwise risky or vulnerable code.
  • secure, managed access to backend services may be provided to applications and other resources comprising or otherwise associated with IoT devices.
  • a smart device such as a smart appliance
  • a separate hardware such as a Raspberry Pi™ or other device, may not be required.

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Health & Medical Sciences (AREA)
  • Computing Systems (AREA)
  • General Health & Medical Sciences (AREA)
  • Medical Informatics (AREA)
  • Computer And Data Communications (AREA)
  • Information Transfer Between Computers (AREA)
  • Telephonic Communication Services (AREA)

Abstract

A containerized architecture to secure and manage Internet-connected devices, such as “Internet of Things” devices, is disclosed. In various embodiments, one or more containerized applications are run, e.g., on an Internet of Things gateway, subject to management by a management server. At least one of the containerized applications is a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.

Description

    CROSS REFERENCE TO OTHER APPLICATIONS
  • This application claims priority to U.S. Provisional Patent Application No. 62/222,029 entitled CONTAINERIZED ARCHITECTURE TO MANAGE INTERNET-CONNECTED DEVICES filed Sep. 22, 2015 which is incorporated herein by reference for all purposes.
  • BACKGROUND OF THE INVENTION
  • It is anticipated that the “Internet of Things” (“IoT”) revolution will encompass innumerable, specialized, non-software innovations, including without limitation in sensor technologies, power consumption, and data transmission and receipt.
  • As used herein, the term “Internet of Things” or “IoT” refers to physical objects having embedded hardware and/or software and network connectivity, e.g., via the Internet, to other such objects and/or other nodes, services, systems, etc. Emerging examples include sensors, security devices, household appliances, entertainment components, and personal electronics, but the Internet of Things could include any physical object.
  • IoT devices may be configured to sense the physical environment, may comprise edge devices that perform data acquisition from the physical environment, and/or may change the physical environment, among other activities. IoT devices may communicate over IP(v6) and/or other protocols.
  • BRIEF DESCRIPTION OF THE DRAWINGS
  • Various embodiments of the invention are disclosed in the following detailed description and the accompanying drawings.
  • FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway.
  • FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services.
  • FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway.
  • FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device.
  • FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices.
  • FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources.
  • DETAILED DESCRIPTION
  • The invention can be implemented in numerous ways, including as a process; an apparatus; a system; a composition of matter; a computer program product embodied on a computer readable storage medium; and/or a processor, such as a processor configured to execute instructions stored on and/or provided by a memory coupled to the processor. In this specification, these implementations, or any other form that the invention may take, may be referred to as techniques. In general, the order of the steps of disclosed processes may be altered within the scope of the invention. Unless stated otherwise, a component such as a processor or a memory described as being configured to perform a task may be implemented as a general component that is temporarily configured to perform the task at a given time or a specific component that is manufactured to perform the task. As used herein, the term ‘processor’ refers to one or more devices, circuits, and/or processing cores configured to process data, such as computer program instructions.
  • A detailed description of one or more embodiments of the invention is provided below along with accompanying figures that illustrate the principles of the invention. The invention is described in connection with such embodiments, but the invention is not limited to any embodiment. The scope of the invention is limited only by the claims and the invention encompasses numerous alternatives, modifications and equivalents. Numerous specific details are set forth in the following description in order to provide a thorough understanding of the invention. These details are provided for the purpose of example and the invention may be practiced according to the claims without some or all of these specific details. For the purpose of clarity, technical material that is known in the technical fields related to the invention has not been described in detail so that the invention is not unnecessarily obscured.
  • A containerized architecture to manage Internet-connected client devices, such as IoT devices, is disclosed. In various embodiments, containerization technology provides an isolated, resource-controlled, and portable environment in which to run apps, applications, or other code. In various embodiments, sensors or other IoT devices may be managed and provided network connectivity via an IoT gateway. Sensors may be virtualized and managed, including by controlling access to such sensors by IoT or other applications and services, and a secure identity may be provided to each sensor. An “edge agent” or other software may be installed on an IoT gateway to provision, secure, and manage the gateway, associated sensors, and applications installed on the gateway. The applications may comprise “smart” applications configured to invoke and use sensors associated with the gateway, such as to gather data. Sensors may be invoked via specialized software, sometimes referred to herein as containerized “sensor drivers”, which may be configured to provide secure (controlled) access to a sensor via a consistent API or other interface, regardless of the physical sensor.
  • A containerization architecture, such as Linux Containers (LXC) running on the Linux™ operating system, may be used to provide a resource-controlled environment for isolation. For example, smart or other IoT apps, sensor drivers, and the edge agent may each run in a separate container on the IoT gateway. The edge agent may run in a container having higher-level privileges and may be configured and used, via a remote Enterprise Mobility Management (EMM) or other management server, to manage and control the installation of sensor drivers, apps, and other resources on the IoT gateway, and to configure such apps and other resources to implement policies set by an administrative user.
  • In various embodiments, the apps may be configured to access backend services, such as IoT services, enterprise app services, etc., only via a security proxy. The security proxy may be configured to provide access according to configuration and/or state information, including gateway and/or other security or other posture information.
  • FIG. 1 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, integrated device management system and environment 100 includes a management server 102, e.g., an enterprise mobility management (EMM) or other server configured to manage IoT devices, applications, and services as disclosed herein. In the example shown, management server 102 also performs mobile device management with respect to mobile devices 104, which may include smartphones, tablets, laptops, or other mobile computing devices. A uniform user interface may be used to control front-end devices by using EMM for IoT.
  • In various embodiments, management server 102 may manage mobile devices 104 by performing one or more of facilitating or requiring device registration; configuring devices and/or applications or other resources installed thereon; installing, provisioning, and/or configuring a management agent (e.g., a management application or app) on the device; and receiving, determining, and/or processing security or other state information to determine a security posture of each device 104. Management server 102 may interact with security proxy 106 to provide managed access to backend services 108. For example, backend servers on an enterprise network may provide enterprise services 108. Security proxy 106 may be configured to provide secure access to backend services 108 by users of devices 104. In various embodiments, for each device 104 access may be managed (e.g., provided without restriction, provided subject to restrictions, or blocked) by security proxy 106 based on state and/or context information, including by way of example and without limitation a security posture of the device 104 as indicated by management server 102, a global security state or information, and context information such as time of day, current geographic location of the device 104, etc.
  • In the example shown, management server 102 and security proxy 106 in addition manage IoT devices associated with an IoT gateway 110. In the example shown, IoT gateway 110 serves as a gateway node for a plurality of associated sensors 112. Sensors 112 may include any physical sensing device, including without limitation environmental (e.g., temperature, wind) sensors; optical sensors, such as a camera or photodiode; audio sensors, such as a microphone; smell sensors; vibration or other motion detectors; seals or other tamper detection devices; biometric input devices such as hand, retina, and fingerprint scanners; and manual input devices such as buttons, knobs, levers, keypads, etc.; or any other device capable of detecting a value or event taking place in a physical space in which the device is located and/or capable of being altered by or altering a physical environment in which the device is located.
  • In the example shown, management server 102 and security proxy 106 cooperate to provide managed access to IoT services 114. For example, access to devices 112 may be managed at least in part by installing on IoT gateway 110 and configuring one or more apps configured to control one or more of sensors 112; consume data or other output or signal data generated by sensors; and/or interact via sensors 112 with a physical space in which sensors 112 may be located. Security proxy 106 may be configured to terminate a secure connection, such as a tunnel connection, to the gateway 110 and/or one or more applications or other entities installed on gateway 110. Security proxy 106 may be configured to use secure connections to backend IoT services 114 to proxy connections and/or communications between apps on gateway 110 and backend IoT services 114.
  • Examples of IoT services 114 may include, without limitation, services that consume and use data generated by sensors 112 to expose related (e.g., reporting, monitoring, analysis) services to client devices and/or systems associated with users of such services 114. For example, temperature sensors 112 may be used to monitor the temperature in a plurality of physical locations, each associated with a corresponding IoT gateway 110. Apps on the respective gateways 110 may report data to a corresponding IoT service 114 via security proxy 106. The IoT service may analyze the data, aggregate and report the data, generate alerts based on the data, etc., and provide related information or other services to local or remote client devices and systems (not shown in FIG. 1).
  • In various embodiments, access by apps running on IoT gateway 110 to backend IoT (or other) services 114 may be managed by security proxy 106 in the same way (or similar ways) as access by mobile devices 104 to enterprise services 108. For example, in some embodiments, access may be managed at least in part by enforcing one or more policies, including without limitation by taking into consideration sensor and/or gateway security or other state or posture information, threat detection from anomalous sensor data behavior, and context data such as time of day, day of the week, etc.
  • FIG. 2 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, management server 202 and security proxy 206 cooperate to provide managed access to IoT services 214 by apps, sensors, and/or other resources comprising and/or otherwise associated with IoT gateway 210. IoT gateway 210 has installed thereon a management agent identified in FIG. 2 as edge agent 220. Edge agent 220 may be installed on IoT gateway 210 by/from an app store, which may be hosted on management server 202 in some embodiments, and configured by management server 202 to be used to manage other resources on and/or associated with gateway 210 as disclosed herein. In various embodiments, gateway 210 may comprise a lightweight computing device comprising one or more processors; memory devices; power modules and components such as batteries, power supplies, etc.; communication buses and connections; physical ports and traces or wires to connect such ports to other components; etc. In some embodiments, gateway 210 may be a Raspberry Pi™ or similar lightweight, low cost computing device.
  • Edge agent 220 is configured in various embodiments to install, configure, and manage apps installed on gateway 210, such as IoT smart apps 222 and sensor drivers 224 in the example shown. Sensor drivers 224 each may comprise a specialized app that performs security, admin, and management functions beyond those performed by traditional driver software. In various embodiments, sensor drivers 224 are configured to provide access to a corresponding one or more of sensors 226 via a consistent, easy-to-use, well-published API or other interface. Sensor drivers 224 may provide to apps 222 secure and/or managed access to sensors 226 and/or data provided by sensors 226. In various embodiments, sensor drivers 224 may prevent apps 222 from altering a configuration or operation of sensors 226. For example, edge agent 220 may configure sensor drivers 224 to configure, operate, and/or manage access to sensors 226 in a manner specified by a policy or other configuration data, such as administrative commands entered via an interface of management server 202. Sensor drivers 224 may serve as an input/output multiplexer for a physical port (not shown in FIG. 2) of gateway 210. Sensor drivers 224 may allow administrative commands, policies, etc. to be used to control which business apps are allowed to communicate with which sensors. In some embodiments, sensor drivers such as sensor drivers 224 may be downloaded from an authorized (e.g., enterprise-managed) app store, and may be updated and/or managed in the same manner as other apps.
  • Edge agent 220, smart apps 222, and sensor drivers 224 each may comprise a containerized application running in a container provided on gateway 210 using a containerization platform, architecture, and/or technology, such as Linux Containers (linuxcontainers.org). Edge agent 220 may comprise a privileged containerized application. For example, edge agent 220 may run in a container that includes capabilities required to manage apps 222 and/or sensor drivers 224, as disclosed herein. In various embodiments, each containerized application (e.g., edge agent 220, apps 222, and drivers 224) runs on top of an operating system 228, such as the Linux™ operating system.
  • In various embodiments, managed apps 222 may be configured to provide to IoT services 214, via security proxy 206, data comprising and/or derived from output of sensors 226. In various embodiments, data may be aggregated, filtered, selectively reported, compressed, encrypted, and/or otherwise pre-processed by one or more of apps 222, resulting in less data and/or value added data being communicated to IoT services 214, resulting in consumption of less network communication and backend storage and processing resources than may have been required or consumed absent such pre-processing.
  • In another example of gateway-side processing, sensor drivers 224 may be configured to detect tampering, failure, or other state or context data affecting sensors 226. In various embodiments, sensor drivers 224 may be configured to report such information to management server 202, which may in response update a security posture and/or other state and/or context data associated with the affected sensor, the gateway 210, and/or applicable ones of apps 222 installed thereon. For example, apps 222 may be prevented from sending to IoT services 214 data obtained from a potentially compromised sensor 226, either by changing the behavior of the app 222 (for example, by using edge agent 220 to change the app's configuration data) or by blocking or stripping such data at security proxy 206, e.g., in response to security posture information received from management server 202.
  • FIG. 3 is a flow chart illustrating an embodiment of a process to provision and configure an IoT gateway. In various embodiments, the process of FIG. 3 may be implemented by a management server, such as management server 102 of FIG. 1 or management server 202 of FIG. 2, to provision and configure an IoT gateway device, such as gateway 110 of FIG. 1 or gateway 210 of FIG. 2. In the example shown, an IoT gateway is pre-registered (302). For example, an administrative user may use a web-based or other interface of a management server, such as management servers 102 and 202, to create a record of the gateway; assign to the gateway a corresponding identity, such as a certificate; associate the gateway with one or more groups, designations, and/or configuration/management policies; etc. The pre-registered gateway is deployed, e.g., to an associated physical location, and connected to the management server, e.g., via a wireless, wired, or other network connection available at the physical location to which the gateway has been deployed (304). In some embodiments, physical custody and control of the gateway may be maintained very carefully, to ensure the gateway is not tampered with en route to being deployed at a destination physical location. The management server is used to install an edge agent on the gateway (306). For example, a native management agent of the gateway, if present, may be used to install and configure the edge agent. In some embodiments, an administrative user account and/or credential may be used to install the edge agent. The edge agent may be configured automatically, e.g., to enforce one or more policies associated with the gateway at the management server.
  • The gateway is provisioned (308). For example, an image or other encapsulation of an IoT gateway as disclosed herein may be downloaded and installed on a hardware device comprising the gateway. An operating system may be installed, configured, and/or brought under management. In some embodiments, the IoT gateway disclosed herein may itself be a containerized application, such as a Linux container, within which another containerization environment is run that includes containerized apps such as smart IoT apps and/or sensor drivers. In some embodiments, provisioning the gateway may include one or more of providing an identity, such as via a certificate, providing policy and/or configuration data to be enforced locally, connecting the gateway to an associated security proxy, etc.
  • In various embodiments, containerized apps, such as IoT smart apps, and sensor drivers, may be installed and configured on an IoT gateway as disclosed herein. For example, the management server and edge agent may cooperate to install one or more smart apps and/or one or more sensor driver apps on the gateway, and to configure such apps according to applicable policies. In some embodiments, the smart apps and/or sensor drivers each may comprise a containerized app that is downloaded to the gateway in the form of a containerization-friendly binary image or similar encapsulation, obtained from an associated universally accessible resource such as an image registry, such as one installed on and/or otherwise associated with the management server.
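The pre-registration and enrollment steps of FIG. 3 (302 through 308), shown as an added example that is not code from the patent or from MobileIron: the management server binds an identity to the gateway record before deployment and, when a gateway later connects, installs the edge agent and pushes policies only if the presented identity matches. The record fields, the use of a SHA-256 fingerprint of constructed certificate bytes as the identity, and the shape of the returned provisioning bundle are all assumptions of this example.

```python
import hashlib
from dataclasses import dataclass


@dataclass
class GatewayRecord:
    """Record created by the administrator at pre-registration (step 302).
    Field names are assumptions of this example, not the patent's."""
    gateway_id: str
    cert_fingerprint: str   # SHA-256 hex of the certificate DER bound to this gateway
    groups: list
    policies: list
    state: str = "pre-registered"   # becomes "enrolled" after a verified connection


class ManagementServer:
    def __init__(self):
        self.registry = {}   # gateway_id -> GatewayRecord
        self.events = []     # audit trail of enrollment decisions

    def pre_register(self, gateway_id, cert_der, groups, policies):
        """Step 302: create the record and bind an identity, groups and policies to it."""
        fingerprint = hashlib.sha256(cert_der).hexdigest()
        self.registry[gateway_id] = GatewayRecord(
            gateway_id, fingerprint, list(groups), list(policies))
        return fingerprint

    def on_connect(self, gateway_id, presented_cert_der):
        """Steps 304-308: a deployed gateway connects. The edge agent and policies
        are handed out only when the presented certificate matches the record."""
        record = self.registry.get(gateway_id)
        if record is None:
            self.events.append(("reject", gateway_id, "not pre-registered"))
            return None
        presented = hashlib.sha256(presented_cert_der).hexdigest()
        if presented != record.cert_fingerprint:
            self.events.append(("reject", gateway_id, "identity mismatch"))
            return None
        record.state = "enrolled"
        self.events.append(("enroll", gateway_id, "ok"))
        # Provisioning bundle: edge agent install plus the policies bound at registration.
        return {"install": ["edge-agent"],
                "groups": record.groups,
                "policies": record.policies}


def demo():
    """Constructed scenario: one pre-registered gateway, one impostor, one unknown id."""
    server = ManagementServer()
    cert = b"constructed-certificate-bytes-for-gw-210"   # placeholder, not a real DER
    server.pre_register("gw-210", cert, ["warehouse"], ["report-tamper-events"])
    return {
        "genuine": server.on_connect("gw-210", cert),
        "wrong_cert": server.on_connect("gw-210", b"some-other-certificate"),
        "unknown": server.on_connect("gw-999", cert),
        "state": server.registry["gw-210"].state,
    }
```

A rejected connection leaves the record untouched, so a gateway that was intercepted and re-imaged in transit cannot enroll with a different identity; the mismatch is recorded in `events` for the administrator to follow up.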
  • FIG. 4 is a flow chart illustrating an embodiment of a process to provide security posture and/or policy-based access to backend services. In various embodiments, the process of FIG. 4 may be implemented by a security proxy, such as proxy 106 of FIG. 1 or proxy 206 of FIG. 2. In the example shown, IoT gateway (and/or associated) posture information is received (402). In some embodiments, a security proxy may receive posture information from a management server. For example, if the management server detects a change in gateway security posture—e.g., too much time since last check in, unauthorized app installed, unauthorized change to an app or its configuration, tampering with gateway, a sensor, apps, and/or drivers detected, etc.—the management server may notify the security proxy 106 of the updated posture of the gateway. If the gateway is/remains fully compliant (404), the security proxy (or other node) allows/continues to allow access to associated backend IoT services (406). If the gateway is not fully compliant (404), a policy-based responsive action is taken (408). In various embodiments, the responsive action may be indicated by a policy or other configuration data. The nature and/or scope of the response may be determined programmatically based on the specific applicable security posture information. For example, a change to a state indicating that a particular sensor may have been tampered with may result in the security proxy or other node blocking data from that sensor only. Installation of an unauthorized and potentially malicious app on the gateway, by contrast, may result in all communications from that gateway being blocked and/or quarantined.
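The security proxy decision of FIG. 4 (steps 402 through 408), as an added example that is not code from the patent or from MobileIron. It shows the graded response the text describes: a tampered sensor blocks only that sensor's data, while an unauthorized app on the gateway blocks and quarantines everything from it. The posture fields, the check-in age limit, the message shape and the decision labels are assumptions of this example.

```python
from dataclasses import dataclass, field


@dataclass
class GatewayPosture:
    """Posture as pushed by the management server (step 402). Field names assumed."""
    gateway_id: str
    seconds_since_checkin: int = 0
    unauthorized_apps: list = field(default_factory=list)
    tampered_sensors: set = field(default_factory=set)


class SecurityProxy:
    """Policy gate between gateway apps and backend IoT services."""
    MAX_CHECKIN_AGE = 900   # seconds; assumed policy value for "too much time since check-in"

    def __init__(self):
        self.postures = {}       # gateway_id -> GatewayPosture
        self.quarantined = set()
        self.log = []            # (gateway_id, sensor_id, decision)

    def update_posture(self, posture):
        """Step 402: cache the latest posture; an unauthorized app quarantines the gateway."""
        self.postures[posture.gateway_id] = posture
        if posture.unauthorized_apps:
            self.quarantined.add(posture.gateway_id)

    def release(self, gateway_id):
        """Administrator lifts a quarantine after remediation (assumed workflow)."""
        self.quarantined.discard(gateway_id)

    def decide(self, message):
        """Steps 404-408 for one message {'gateway_id', 'app', 'sensor_id', 'payload'}.
        Returns 'allow' or a block decision naming the reason."""
        gw = message["gateway_id"]
        posture = self.postures.get(gw)
        if gw in self.quarantined:
            decision = "quarantine"          # all traffic from the gateway is held
        elif posture is None:
            decision = "block-unknown"       # no posture on file: treat as non-compliant
        elif posture.seconds_since_checkin > self.MAX_CHECKIN_AGE:
            decision = "block-stale"         # gateway has not checked in recently enough
        elif message["sensor_id"] in posture.tampered_sensors:
            decision = "block-sensor"        # only data from the suspect sensor is dropped
        else:
            decision = "allow"
        self.log.append((gw, message["sensor_id"], decision))
        return decision


def demo():
    """Constructed sequence of posture updates for gateway 710 from FIG. 7."""
    proxy = SecurityProxy()
    click = {"gateway_id": "gw-710", "app": "remote-image", "sensor_id": "730", "payload": "click"}
    motion = dict(click, sensor_id="732", payload="motion")
    out = {}
    proxy.update_posture(GatewayPosture("gw-710"))
    out["compliant"] = (proxy.decide(click), proxy.decide(motion))
    proxy.update_posture(GatewayPosture("gw-710", tampered_sensors={"732"}))
    out["tampered_732"] = (proxy.decide(click), proxy.decide(motion))
    proxy.update_posture(GatewayPosture("gw-710", seconds_since_checkin=3600))
    out["stale"] = proxy.decide(click)
    proxy.update_posture(GatewayPosture("gw-710", unauthorized_apps=["unreviewed-app"]))
    out["unauthorized_app"] = proxy.decide(click)
    out["unknown_gateway"] = proxy.decide(dict(click, gateway_id="gw-999"))
    return out
```

Quarantine is sticky on purpose: a later, clean posture report from the same gateway does not lift it, because the report comes from a device that was just found running unapproved code; `release` models the administrator's explicit decision.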
  • FIG. 5 is a flow chart illustrating an embodiment of a process to perform security posture and/or policy-based management and configuration of resources comprising or otherwise associated with an IoT gateway. In some embodiments, the process of FIG. 5 may be performed by a management server to provide a response to be implemented at a gateway based on security or other posture, configuration, and/or context information. In some embodiments, the process of FIG. 5 may be implemented at an IoT gateway, such as by an edge agent installed on an IoT gateway, to provide a local response to security posture and/or other information.
  • In the example shown, security posture, configuration, and/or context information are monitored (502). For example, an edge agent may monitor the configuration of IoT smart apps, sensor drivers, sensors, and/or other resources comprising and/or otherwise associated with a gateway to detect configuration changes, tampering with physical sensors, connectors, or ports, etc. In some embodiments, an edge agent may report posture, configuration, and context data, e.g., to a management server. In some embodiments, posture, configuration, and/or context data may be provided by external sources, such as an administrator, or a third party system, such as an intrusion detection system or other security system.
  • If received security posture, configuration, and/or context data indicates that a change in app and/or driver (or other) configuration data at a gateway is to be made (504), the indicated change is made via the edge agent (506). For example, a managed IoT smart app may be configured to provide data in a different manner, to use an alternate sensor and/or sensor app, to suspend operation, to send data to a different destination, etc.
  • Monitoring (502) and taking responsive actions as/if required (504, 506) continue until the process is done (508), e.g., the gateway is taken out of service for maintenance.
  • FIG. 6 is a flow chart illustrating an embodiment of a process to perform policy, security, and/or context-based processing of data at an IoT gateway or other edge device. In various embodiments, the process of FIG. 6 may be performed by an IoT smart app. In the example shown, sensor and/or other data is gathered and evaluated locally at the gateway (602). For example, an IoT smart app may perform analysis, such as comparing sensor output values to a threshold, performing statistical analysis, etc. If a threshold or other trigger event is detected (604), applicable sensor and/or derived or otherwise related data may be aggregated, filtered, packaged, and/or compressed and then sent to an associated backend service, e.g., via a security proxy. Processing continues until done (608), e.g., the IoT smart app stops running, there is no further sensor data to process, etc.
  • FIG. 7 is a block diagram illustrating an embodiment of a system to provide containerized management of network connected devices. In the example shown, a given set of sensors are used by associated apps and sensor drivers to provide an illustrative example of an IoT service provided using techniques disclosed herein. Management server 702 and security proxy 706 cooperate, as disclosed herein, to provide managed access to a remote image service 714. Client systems and/or devices 716 may access the service 714 to see, for example, images taken by a camera or other sensor installed at a remote physical location. IoT gateway 710 having operating system 712 running thereon may be installed at or near the monitored location. An edge agent (management app) 720 installed and running on gateway 710 manages a remote imaging app 722, sensor driver 724, and camera (sensor) driver 726, each of which may comprise a containerized application running on gateway 710. Sensor driver 724 functions as an I/O multiplexer for a serial I/O port 728 to which sensors 730 and 732 are connected. For example, sensor 730 may be a push button while sensor 732 may be a motion and/or light detector. Camera driver 726 configures and manages access to a camera 736 connected to gateway 710 via a general purpose I/O 734.
  • Remote image app 722 accesses sensors 730 and 732 via sensor driver 724, and camera 736 via camera driver 726. Sensor driver 724 and/or camera driver 726 may be configured to allow access only selectively and/or subject to constraints specified in their own app configuration data. For example, sensor driver 724 may be configured to provide to remote image app 722 access only to output data (e.g., click events) associated with push button 730.
  • By way of example, remote image app 722 may be configured to subscribe, via sensor driver 724, to click events generated by sensor driver 724 in response to receiving an indication via serial I/O 728 that the push button 730 has been pushed. In response to each occurrence of such a click event, remote image app 722 may be configured to request and obtain via camera driver 726 a burst comprising a prescribed number of images generated using camera 736. The prescribed number may be indicated, for example, in app configuration data for one or both of the camera driver 726 and the remote imaging app 722. Remote imaging app 722 may be configured to perform filtering, analysis, and/or other pre-processing of received image data. For example, remote imaging app 722 may be configured to detect the presence (or not) of a face in an image, and to send to remote imaging service 714 only those images that contain a face. Or, remote imaging app 722 may be configured to judge image quality and send only a selected representative image of a certain quality. In yet another example, remote imaging app 722 may be configured to degrade image quality and/or otherwise reduce an associated data size prior to communicating an image to the remote imaging service 714.
  • In various embodiments, management and security techniques disclosed herein may be applied to the example service shown in FIG. 7. For example, upon detecting a change in the security posture of gateway 710, management server 702 may send updated posture information to security proxy 706, prompting security proxy 706 to block access by remote image app 722 to remote image service 714. In another example, an administrator may indicate via an administrative interface a desired change in app behavior, such as to change the number of images included in each burst. In response, management server 702 may use edge agent 720 to change the configuration of one or both of remote image app 722 and camera driver 726 to implement the change. In yet another example, camera 736 may be replaced with a different physical device. In response, a replacement driver for camera driver 726 may be downloaded, installed, and configured. The replacement driver may be configured to implement a physical or other interface to the new camera, while continuing to expose a consistent interface to remote image app 722, which in this example would not be required to be updated and/or reconfigured.
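The sensor driver as policy-enforcing I/O multiplexer (FIG. 2) and the FIG. 7 click-to-burst flow, as one added example that is not code from the patent or from MobileIron. The driver exposes only subscriptions its pushed policy permits, never the raw port; the remote image app can receive click events from button 730 but cannot subscribe to sensor 732, and the camera driver's burst size is read from its configuration so the edge agent can change it. The policy dictionary shape, the `sensor:kind:value` serial frame format, the constructed placeholder image frames and all class and method names are assumptions of this example.

```python
from collections import defaultdict


class SensorDriver:
    """Containerized driver multiplexing one serial port for several sensors.
    `policy` is the access configuration the edge agent pushes to the driver:
    {app_name: {sensor_id: {event kinds the app may receive}}} (assumed shape)."""

    def __init__(self, port, policy):
        self.port = port
        self.policy = policy
        self.subscribers = defaultdict(list)   # (sensor_id, kind) -> [app_name]
        self.audit = []                         # (decision, app, sensor_id, kind)

    def subscribe(self, app, sensor_id, kind):
        allowed = self.policy.get(app, {}).get(sensor_id, set())
        if kind not in allowed:
            self.audit.append(("deny", app, sensor_id, kind))
            return False
        self.subscribers[(sensor_id, kind)].append(app)
        self.audit.append(("allow", app, sensor_id, kind))
        return True

    def on_port_frame(self, frame):
        """Parse one constructed serial frame 'sensor_id:kind:value' and return the
        (app_name, event) pairs to deliver. Apps never see the port itself."""
        sensor_id, kind, value = frame.split(":", 2)
        event = {"sensor": sensor_id, "kind": kind, "value": value}
        return [(app, event) for app in self.subscribers.get((sensor_id, kind), [])]


class CameraDriver:
    """Driver for the camera on the general purpose I/O; burst size comes from config."""

    def __init__(self, config):
        self.config = config   # e.g. {"burst_size": 3}, managed by the edge agent

    def capture_burst(self):
        # Placeholder strings stand in for real image bytes in this example.
        return [f"frame-{i}" for i in range(self.config["burst_size"])]


class RemoteImageApp:
    def __init__(self, name, sensor_driver, camera_driver):
        self.name = name
        self.camera = camera_driver
        self.sent = []   # bursts that would go to the remote image service via the proxy
        # FIG. 7: subscribe only to click events of push button 730.
        self.click_ok = sensor_driver.subscribe(name, "730", "click")

    def handle(self, event):
        if event["sensor"] == "730" and event["kind"] == "click":
            burst = self.camera.capture_burst()
            self.sent.append(burst)
            return len(burst)
        return 0


def run_scenario():
    """Constructed walk-through of the FIG. 7 service with a policy change mid-way."""
    policy = {"remote-image": {"730": {"click"}}}   # no access to sensor 732 at all
    driver = SensorDriver("/dev/serial0", policy)
    camera = CameraDriver({"burst_size": 3})
    app = RemoteImageApp("remote-image", driver, camera)
    results = {"click_ok": app.click_ok,
               "motion_denied": not driver.subscribe("remote-image", "732", "motion")}
    delivered = driver.on_port_frame("730:click:1")
    results["burst1"] = sum(app.handle(ev) for name, ev in delivered if name == app.name)
    # A motion frame has no permitted subscriber, so it reaches no app.
    results["motion_delivered"] = len(driver.on_port_frame("732:motion:1"))
    # Administrator changes the burst size; the edge agent rewrites the driver config.
    camera.config["burst_size"] = 5
    delivered = driver.on_port_frame("730:click:1")
    results["burst2"] = sum(app.handle(ev) for name, ev in delivered if name == app.name)
    results["denials_logged"] = [a for a in driver.audit if a[0] == "deny"]
    return results
```

Because the app only ever talks to the driver's subscribe/deliver interface, replacing camera 736 with a different device means replacing `CameraDriver` behind the same `capture_burst` call, which is the driver-swap case the passage describes.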
  • FIG. 8 is a block diagram illustrating an embodiment of a system to provision and configure an IoT gateway and/or associated resources. In the example shown, a management server 802 and security proxy 806 cooperate to provide managed access to IoT services 814 by IoT smart applications running on IoT gateway 810 having operating system 812 running thereon. As in previous examples, management is performed at least in part via an edge agent 820 installed on gateway 810. Edge agent 820 configures and otherwise manages containerized applications running on gateway 810, such as image app 822, button (sensor) driver 824 associated with button sensor 830, and camera (sensor) driver 826 associated with camera 836, in this example, through communications sent via a secure connection bus.
  • In the example shown in FIG. 8, an IoT application store paradigm, platform, and interface 816 is provided to enable IoT smart apps, sensor drivers, and other resources to be installed on a managed IoT gateway, such as gateway 810. In this example, IoT application store interface 816 displays in dashed, outline, shadow, or other less prominently visible form icons representing containerized applications that have already been installed on gateway 810. Additional applications (temp driver, alarm app) that have not (yet) been installed on gateway 810 are displayed using solid lines.
  • In various embodiments, an IoT app store may be implemented as a software distribution registry or similar repository. Each application icon displayed via the app store interface, such as interface 816 in the example shown, may be associated with a corresponding downloadable software image or similar encapsulation of data required to build and run a container. Selection of an application that has not been installed may result in the corresponding image being pulled to the associated IoT gateway, which may then use the image or other data to install and run a corresponding instance of an associated containerized application.
  • The particular apps and sensor drivers shown in and described above in connection with FIGS. 7 and 8 are illustrative examples of apps and sensor drivers that may be used in the application-agnostic architecture and approach disclosed herein. Limitless other apps, sensor drivers, and associated services may be conceived and implemented using techniques disclosed herein.
  • In various embodiments, applications made available via an IoT app store as disclosed herein may comprise a subset of applications included in a master inventory of applications. For example, the applications in the inventory may be filtered based on information associated with the gateway, such as a role or other data associated with an enterprise or other user with which the gateway is associated; a location or other attribute associated with the gateway; security or other posture information; group or other designation with which the gateway is associated; sensors detected to be connected to the gateway; etc.
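The registry-backed store of the preceding paragraphs and the inventory filtering described just above can be shown in one model. This is an added example, not code from the patent or its assignee: app names, roles, sensor types, the registry host and the all-zero digests are constructed sample values, and the filter keys (role, posture, detected sensors) are a chosen subset of the attributes the text lists.

```python
"""Policy-filtered IoT app store catalog (added example; not code from the patent).

A master inventory of containerized apps and sensor drivers is narrowed to what
one gateway may be offered, based on its enterprise role, its security posture
and the sensors detected on it. Selecting an uninstalled entry, as in the FIG. 8
store, yields the image reference the gateway would pull. All values are constructed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set

POSTURE_RANK = {"non_compliant": 0, "compliant": 1, "hardened": 2}


@dataclass(frozen=True)
class AppEntry:
    name: str
    image: str                      # registry reference pinned to a digest
    roles: Set[str]                 # enterprise roles allowed to install it
    requires_sensor: Optional[str]  # sensor type it needs, or None
    min_posture: str = "compliant"  # weakest posture under which it is offered


@dataclass
class Gateway:
    gateway_id: str
    role: str
    posture: str
    sensors: Set[str]
    installed: Set[str] = field(default_factory=set)


def filter_inventory(inventory: List[AppEntry], gw: Gateway) -> List[AppEntry]:
    """Subset of the master inventory this gateway may be offered."""
    visible = []
    for e in inventory:
        if gw.role not in e.roles:
            continue  # not for this enterprise role
        if POSTURE_RANK[gw.posture] < POSTURE_RANK[e.min_posture]:
            continue  # posture too weak to be offered this software
        if e.requires_sensor and e.requires_sensor not in gw.sensors:
            continue  # driver/app for a sensor this gateway does not have
        visible.append(e)
    return visible


def catalog_view(inventory: List[AppEntry], gw: Gateway) -> Dict[str, str]:
    """How the store interface renders each visible entry (installed vs available)."""
    return {e.name: ("installed" if e.name in gw.installed else "available")
            for e in filter_inventory(inventory, gw)}


def select_for_install(inventory: List[AppEntry], gw: Gateway, name: str) -> str:
    """Return the image to pull for an uninstalled, visible entry. Re-running the
    filter here makes it an authorization check, not only a display choice."""
    visible = {e.name: e for e in filter_inventory(inventory, gw)}
    if name not in visible:
        raise PermissionError(f"{name} is not offered to {gw.gateway_id}")
    if name in gw.installed:
        raise ValueError(f"{name} is already installed on {gw.gateway_id}")
    image = visible[name].image
    if "@sha256:" not in image:
        raise ValueError("refusing an image reference without a pinned digest")
    return image


def ref(name: str) -> str:
    # Placeholder registry host and all-zero digest: constructed, not real values.
    return f"registry.example/iot/{name}@sha256:{'0' * 64}"

# Constructed master inventory mirroring the icons in FIG. 8.
INVENTORY = [
    AppEntry("image_app", ref("image-app"), {"facilities", "security"}, "camera"),
    AppEntry("camera_driver", ref("camera-driver"), {"facilities", "security"}, "camera"),
    AppEntry("button_driver", ref("button-driver"), {"facilities"}, "button"),
    AppEntry("temp_driver", ref("temp-driver"), {"facilities"}, "thermometer"),
    AppEntry("alarm_app", ref("alarm-app"), {"facilities", "security"}, None),
]


def demo() -> Dict[str, str]:
    """Catalog for the FIG. 8 gateway: three entries installed, alarm app offered,
    temp driver hidden because no thermometer is attached."""
    gw = Gateway("gateway_810", "facilities", "compliant", {"camera", "button"},
                 installed={"image_app", "camera_driver", "button_driver"})
    return catalog_view(INVENTORY, gw)
```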
  • In various embodiments, apps, sensor drivers, and/or other IoT gateway apps and tools may be developed by application developers. In some embodiments, a software development kit (SDK), application programming interface (API), open source code repository, and/or other tools and resources may be provided to facilitate the development and/or improvement of IoT gateway apps and drivers. For example, a developer associated with an enterprise, or a third party developer, may create a new or adapted sensor driver to enable a new type, make, or model of sensor to be used by one or more other IoT gateway apps and/or associated services. Apps, sensor drivers, and other code developed by third parties may be submitted for review and approval, and may be made available to be downloaded from an IoT gateway app store upon a determination being made that the app, sensor driver, etc. functions as intended and contains no malicious or otherwise risky or vulnerable code.
  • Using techniques disclosed herein, secure, managed access to backend services may be provided to applications and other resources comprising or otherwise associated with IoT devices.
  • While a number of the examples described herein involve external sensors connected to a gateway via a physical connection port, the techniques disclosed herein may be applied as well to manage access to, configuration of, and use of internal sensors of the gateway device. In various embodiments, a smart device, such as a smart appliance, may be configured to serve as an IoT gateway as disclosed herein. In such implementations, separate hardware, such as a Raspberry Pi™ or other device, may not be required.
  • Although the foregoing embodiments have been described in some detail for purposes of clarity of understanding, the invention is not limited to the details provided. There are many alternative ways of implementing the invention. The disclosed embodiments are illustrative and not restrictive.

Claims (20)

What is claimed is:
1. A system, comprising:
a communication interface; and
a processor coupled to the communication interface and configured to:
communicate via the communication interface with a management server; and
run one or more containerized applications subject to management by the management server, at least one of said containerized applications comprising a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.
2. The system of claim 1, wherein one or more of said containerized applications other than said management agent each comprises a sensor driver application configured by one or both of said management server and said management agent to provide managed access to a sensor comprising or otherwise associated with the system.
3. The system of claim 2, wherein the sensor driver application functions as an input/output (I/O) multiplexer for a physical interface via which said sensor is connected.
4. The system of claim 2, wherein one or more other of said containerized applications other than the management agent each comprises an Internet-of-Things (IoT) smart application configured to receive and use sensor data generated by said sensor, subject to management by one or both of said management server and said management agent.
5. The system of claim 4, wherein each of said IoT smart applications is configured to communicate via a security proxy with one or more associated backend services.
6. The system of claim 5, wherein said security proxy is configured to enforce one or more policies associated with said communications by said smart application.
7. The system of claim 6, wherein said security proxy is configured to take a responsive action with respect to communications by said smart application based at least in part on security posture data received from said management server.
8. The system of claim 7, wherein said management server is configured to determine said security posture data based at least in part on data received from the system.
9. The system of claim 1, wherein the system comprises an Internet of Things (IoT) gateway, and further comprising installing said one or more containerized applications on the gateway.
10. The system of claim 9, wherein an IoT gateway app store interface and server are used to install said one or more containerized applications.
11. The system of claim 10, wherein said one or more containerized applications are included in a set of containerized applications presented via said IoT gateway app store interface as being available to be installed on said gateway.
12. The system of claim 11, wherein said set of containerized applications are selected to be presented via said IoT gateway app store interface as being available to be installed on said gateway based at least in part on one or both of a policy and a user or other group with which the gateway is determined to be associated.
13. A method, comprising:
communicating via a communication interface with a management server; and
running one or more containerized applications subject to management by the management server, at least one of said containerized applications comprising a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.
14. The method of claim 13, wherein one or more of said containerized applications other than said management agent each comprises a sensor driver application configured by one or both of said management server and said management agent to provide managed access to a sensor comprising or otherwise associated with the system.
15. The method of claim 14, wherein one or more other of said containerized applications other than the management agent each comprises an Internet-of-Things (IoT) smart application configured to receive and use sensor data generated by said sensor, subject to management by one or both of said management server and said management agent.
16. The method of claim 15, wherein each of said IoT smart applications is configured to communicate via a security proxy with one or more associated backend services.
17. The method of claim 16, wherein said security proxy is configured to enforce one or more policies associated with said communications by said smart application.
18. The method of claim 17, wherein said security proxy is configured to take a responsive action with respect to communications by said smart application based at least in part on security posture data received from said management server.
19. A computer program product embodied in a non-transitory computer readable medium and comprising computer instructions for:
communicating via a communication interface with a management server; and
running one or more containerized applications subject to management by the management server, at least one of said containerized applications comprising a management agent configured to participate, subject to control of the management server, in management of one or more other of said containerized applications.
20. The computer program product of claim 19, wherein one or more of said containerized applications other than said management agent each comprises a sensor driver application configured by one or both of said management server and said management agent to provide managed access to a sensor comprising or otherwise associated with the system.

Priority Applications (1)

Application Number Priority Date Filing Date Title
US15/270,948 US10374869B2 (en) 2015-09-22 2016-09-20 Containerized architecture to manage internet-connected devices

Applications Claiming Priority (2)

Application Number Priority Date Filing Date Title
US201562222029P 2015-09-22 2015-09-22
US15/270,948 US10374869B2 (en) 2015-09-22 2016-09-20 Containerized architecture to manage internet-connected devices

Publications (2)

Publication Number Publication Date
US20170099176A1 true US20170099176A1 (en) 2017-04-06
US10374869B2 US10374869B2 (en) 2019-08-06

Family

ID=58387113

Family Applications (1)

Application Number Title Priority Date Filing Date
US15/270,948 Active 2037-03-14 US10374869B2 (en) 2015-09-22 2016-09-20 Containerized architecture to manage internet-connected devices

Country Status (2)

Country Link
US (1) US10374869B2 (en)
WO (1) WO2017053319A1 (en)

Cited By (25)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20170134500A1 (en) * 2015-11-09 2017-05-11 Admobilize Llc. System and method for creating operating systems to network physical objects or things
US10103964B2 (en) * 2016-06-17 2018-10-16 At&T Intellectual Property I, L.P. Managing large volumes of event data records
TWI646434B (en) * 2017-04-24 2019-01-01 宏碁股份有限公司 Cloud management system and device configuration method thereof
US10320613B1 (en) * 2015-08-11 2019-06-11 Cisco Technology, Inc. Configuring contextually aware IoT policies
US10333733B2 (en) * 2017-03-20 2019-06-25 Vmware, Inc. Controlling proxy devices through a managed gateway
US10374869B2 (en) * 2015-09-22 2019-08-06 Mobile Iron, Inc. Containerized architecture to manage internet-connected devices
US10469600B2 (en) * 2017-11-14 2019-11-05 Dell Products, L.P. Local Proxy for service discovery
US10681544B2 (en) 2018-03-12 2020-06-09 Cypress Semiconductor Corporation Devices, systems and methods for connecting and authenticating local devices to common gateway device
US20200213395A1 (en) * 2018-12-31 2020-07-02 Itron, Inc. Application Management Service
CN111917588A (en) * 2020-08-10 2020-11-10 南方电网数字电网研究院有限公司 Edge device management method, device, edge gateway device and storage medium
US10848495B2 (en) 2018-02-18 2020-11-24 Cisco Technology, Inc. Internet of things security system
US10893116B1 (en) 2019-07-03 2021-01-12 Nutanix, Inc. Apparatuses and methods for edge computing application deployment in an IoT system
JP2021005270A (en) * 2019-06-27 2021-01-14 IoT−EX株式会社 Iot connection system, information processing method, and computer program
US20210029156A1 (en) * 2018-08-10 2021-01-28 Amazon Technologies, Inc. Security monitoring system for internet of things (iot) device environments
US10999269B2 (en) * 2015-12-04 2021-05-04 Samsara Networks Inc. Authentication of a gateway device in a sensor network
US11140144B2 (en) * 2017-01-19 2021-10-05 Saison Information Systems Co., Ltd. IoT data collection system, IoT data collection method, management device, management program, agent device, and agent program
US20220046094A1 (en) * 2018-09-14 2022-02-10 Spectrum Brands, Inc. System and method of establishing server connections to internet of things devices, including electronic locks
US11277495B2 (en) * 2018-12-10 2022-03-15 Electronics And Telecommunications Research Institute System and method for providing microservice-based device control interface
US11381575B2 (en) 2019-05-03 2022-07-05 Microsoft Technology Licensing, Llc Controlling access to resources of edge devices
WO2022215086A1 (en) * 2021-04-07 2022-10-13 Karmarkar Sameer Madhusudan System and method for containerization of internet of things devices
US11501881B2 (en) 2019-07-03 2022-11-15 Nutanix, Inc. Apparatus and method for deploying a mobile device as a data source in an IoT system
US11635990B2 (en) 2019-07-01 2023-04-25 Nutanix, Inc. Scalable centralized manager including examples of data pipeline deployment to an edge system
US11665221B2 (en) 2020-11-13 2023-05-30 Nutanix, Inc. Common services model for multi-cloud platform
US11726764B2 (en) 2020-11-11 2023-08-15 Nutanix, Inc. Upgrade systems for service domains
US11736585B2 (en) 2021-02-26 2023-08-22 Nutanix, Inc. Generic proxy endpoints using protocol tunnels including life cycle management and examples for distributed cloud native services and applications

Families Citing this family (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10873567B2 (en) * 2017-06-26 2020-12-22 Open Text Corporation Systems and methods for providing communications between on-premises servers and remote devices
FR3073302A1 (en) * 2017-11-08 2019-05-10 STMicroelectronics (Grand Ouest) SAS METHOD AND DEVICE FOR MONITORING AT LEAST ONE ACTIVITY OF A CONNECTED OBJECT
GB2568871B (en) * 2017-11-23 2021-09-22 Advanced Risc Mach Ltd Devices and methods for control of internet of things (IoT) devices
GB2568873B (en) * 2017-11-23 2021-09-22 Advanced Risc Mach Ltd Distributed management system for internet of things devices and methods thereof
US11388195B1 (en) * 2019-02-02 2022-07-12 Clearops, Inc. Information security compliance platform
US10848567B1 (en) * 2019-11-29 2020-11-24 Cygnus, LLC Remote support for IoT devices
US20220172825A1 (en) * 2020-11-28 2022-06-02 GE Precision Healthcare LLC Medical scanner application platform

Citations (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US20150113627A1 (en) * 2013-10-17 2015-04-23 Arm Ip Limited Method for assigning an agent device from a first device registry to a second device registry
US20150172215A1 (en) * 2013-12-18 2015-06-18 ContinnumBridge Limited Apparatus for Network Bridging
US20150347114A1 (en) * 2014-05-28 2015-12-03 Samsung Electronics Co., Ltd. Apparatus and method for controlling internet of things devices
US20160094421A1 (en) * 2014-09-25 2016-03-31 Oracle International Corporation Platform for capturing, processing, storaging, and presentation of generic sensor data from remote arbitrary locations
US20160142906A1 (en) * 2014-11-17 2016-05-19 Samsung Electronics Co., Ltd. Apparatus and method for profile installation in communication system
US20160147506A1 (en) * 2014-11-21 2016-05-26 Kiban Labs, Inc. Internet of things platforms, apparatuses, and methods
US20170005456A1 (en) * 2014-07-08 2017-01-05 Grigori Broudno High Efficiency Spark Plug

Family Cites Families (6)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
WO2007022432A2 (en) * 2005-08-18 2007-02-22 Emc Corporation Compliance processing of rights managed data
US8104077B1 (en) * 2006-01-03 2012-01-24 Symantec Corporation System and method for adaptive end-point compliance
KR101932821B1 (en) 2013-07-24 2018-12-27 콘비다 와이어리스, 엘엘씨 Service domain charging systems and methods
US9742840B2 (en) * 2013-12-20 2017-08-22 Siemens Aktiengesellschaft Integration of user interfaces for different physically distributed medical applications
US9729330B2 (en) * 2015-08-21 2017-08-08 Samsung Electronics Co., Ltd. Secure pairing of eHealth devices and authentication of data using a gateway device having secured area
US10374869B2 (en) * 2015-09-22 2019-08-06 Mobile Iron, Inc. Containerized architecture to manage internet-connected devices

Cited By (32)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US10320613B1 (en) * 2015-08-11 2019-06-11 Cisco Technology, Inc. Configuring contextually aware IoT policies
US10374869B2 (en) * 2015-09-22 2019-08-06 Mobile Iron, Inc. Containerized architecture to manage internet-connected devices
US20170134500A1 (en) * 2015-11-09 2017-05-11 Admobilize Llc. System and method for creating operating systems to network physical objects or things
US10999269B2 (en) * 2015-12-04 2021-05-04 Samsara Networks Inc. Authentication of a gateway device in a sensor network
US10516595B2 (en) 2016-06-17 2019-12-24 At&T Intellectual Property I, L.P. Managing large volumes of event data records
US10103964B2 (en) * 2016-06-17 2018-10-16 At&T Intellectual Property I, L.P. Managing large volumes of event data records
US11140144B2 (en) * 2017-01-19 2021-10-05 Saison Information Systems Co., Ltd. IoT data collection system, IoT data collection method, management device, management program, agent device, and agent program
US20190288869A1 (en) * 2017-03-20 2019-09-19 Vmware, Inc. Controlling proxy devices through a managed gateway
US10333733B2 (en) * 2017-03-20 2019-06-25 Vmware, Inc. Controlling proxy devices through a managed gateway
US11038710B2 (en) * 2017-03-20 2021-06-15 Vmware, Inc. Controlling proxy devices through a managed gateway
TWI646434B (en) * 2017-04-24 2019-01-01 宏碁股份有限公司 Cloud management system and device configuration method thereof
US10469600B2 (en) * 2017-11-14 2019-11-05 Dell Products, L.P. Local Proxy for service discovery
US11658977B2 (en) 2018-02-18 2023-05-23 Cisco Technology, Inc. Internet of Things security system
US10848495B2 (en) 2018-02-18 2020-11-24 Cisco Technology, Inc. Internet of things security system
US10681544B2 (en) 2018-03-12 2020-06-09 Cypress Semiconductor Corporation Devices, systems and methods for connecting and authenticating local devices to common gateway device
US11153754B2 (en) 2018-03-12 2021-10-19 Cypress Semiconductor Corporation Devices, systems and methods for connecting and authenticating local devices to common gateway device
US20210029156A1 (en) * 2018-08-10 2021-01-28 Amazon Technologies, Inc. Security monitoring system for internet of things (iot) device environments
US11671499B2 (en) * 2018-09-14 2023-06-06 Spectrum Brands, Inc. System and method of establishing server connections to internet of things devices, including electronic locks
US20220046094A1 (en) * 2018-09-14 2022-02-10 Spectrum Brands, Inc. System and method of establishing server connections to internet of things devices, including electronic locks
US11277495B2 (en) * 2018-12-10 2022-03-15 Electronics And Telecommunications Research Institute System and method for providing microservice-based device control interface
US10834197B2 (en) * 2018-12-31 2020-11-10 Itron, Inc. Application management service
US20200213395A1 (en) * 2018-12-31 2020-07-02 Itron, Inc. Application Management Service
US11381575B2 (en) 2019-05-03 2022-07-05 Microsoft Technology Licensing, Llc Controlling access to resources of edge devices
JP2021005270A (en) * 2019-06-27 2021-01-14 IoT−EX株式会社 Iot connection system, information processing method, and computer program
US11635990B2 (en) 2019-07-01 2023-04-25 Nutanix, Inc. Scalable centralized manager including examples of data pipeline deployment to an edge system
US11501881B2 (en) 2019-07-03 2022-11-15 Nutanix, Inc. Apparatus and method for deploying a mobile device as a data source in an IoT system
US10893116B1 (en) 2019-07-03 2021-01-12 Nutanix, Inc. Apparatuses and methods for edge computing application deployment in an IoT system
CN111917588A (en) * 2020-08-10 2020-11-10 南方电网数字电网研究院有限公司 Edge device management method, device, edge gateway device and storage medium
US11726764B2 (en) 2020-11-11 2023-08-15 Nutanix, Inc. Upgrade systems for service domains
US11665221B2 (en) 2020-11-13 2023-05-30 Nutanix, Inc. Common services model for multi-cloud platform
US11736585B2 (en) 2021-02-26 2023-08-22 Nutanix, Inc. Generic proxy endpoints using protocol tunnels including life cycle management and examples for distributed cloud native services and applications
WO2022215086A1 (en) * 2021-04-07 2022-10-13 Karmarkar Sameer Madhusudan System and method for containerization of internet of things devices

Also Published As

Publication number Publication date
US10374869B2 (en) 2019-08-06
WO2017053319A1 (en) 2017-03-30

Similar Documents

Publication Publication Date Title
US10374869B2 (en) Containerized architecture to manage internet-connected devices
KR102146034B1 (en) User Interface For Security Protection And Remote Management Of Network Endpoints
CN107251514B (en) Techniques for scalable security architecture for virtualized networks
US10148693B2 (en) Exploit detection system
US9092616B2 (en) Systems and methods for threat identification and remediation
US9015793B2 (en) Hardware management interface
US10097572B1 (en) Security for network computing environment based on power consumption of network devices
US11596008B2 (en) System, method and computer program product for secure Bluetooth cryptography in a virtual mobile device platform
US9380562B1 (en) System, method and computer program product for providing notifications from a virtual device to a disconnected physical device
US9667703B1 (en) System, method and computer program product for generating remote views in a virtual mobile device platform
EP3884405B1 (en) Secure count in cloud computing networks
US11909845B2 (en) Methods and systems for managing applications of a multi-access edge computing environment
US20140181844A1 (en) Hardware management interface
CN110463155A (en) Enhance the integrality specific to the information of data center
Deng et al. Towards trustworthy health platform cloud
US11689365B2 (en) Centralized volume encryption key management for edge devices with trusted platform modules
US11228491B1 (en) System and method for distributed cluster configuration monitoring and management
US20170187643A1 (en) Virtual Cloud Security Managed By Reverse Avatars
Pühringer Cloud computing for home automation
US20230261867A1 (en) Centralized volume encryption key management for edge devices with trusted platform modules
US11611580B1 (en) Malware infection detection service for IoT devices
US20230016069A1 (en) Device data-at-rest security using extended volume encryption data
WO2024065816A1 (en) High fidelity attestation-based artificial intelligence inference system
Bharti et al. Attribute–Based Access Control for AWS Internet of Things-A
Zhou et al. Logic bugs in IoT platforms and systems: A review

Legal Events

Date Code Title Description
AS Assignment

Owner name: MOBILE IRON, INC., CALIFORNIA

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:JAIN, SANDEEP;REEL/FRAME:040761/0428

Effective date: 20161209

STPP Information on status: patent application and granting procedure in general

Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION

STPP Information on status: patent application and granting procedure in general

Free format text: NOTICE OF ALLOWANCE MAILED -- APPLICATION RECEIVED IN OFFICE OF PUBLICATIONS

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT RECEIVED

STPP Information on status: patent application and granting procedure in general

Free format text: PUBLICATIONS -- ISSUE FEE PAYMENT VERIFIED

STCF Information on status: patent grant

Free format text: PATENTED CASE

AS Assignment

Owner name: MORGAN STANLEY SENIOR FUNDING, INC., AS COLLATERAL AGENT, MARYLAND

Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;IVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0062

Effective date: 20201201

Owner name: BANK OF AMERICA, N.A., AS COLLATERAL AGENT, ILLINOIS

Free format text: SECURITY INTEREST;ASSIGNORS:CELLSEC, INC.;PULSE SECURE, LLC;INVANTI, INC.;AND OTHERS;REEL/FRAME:054665/0873

Effective date: 20201201

AS Assignment

Owner name: IVANTI, INC., UTAH

Free format text: ASSIGNMENT OF ASSIGNORS INTEREST;ASSIGNOR:MOBILEIRON, INC.;REEL/FRAME:061327/0751

Effective date: 20220801

MAFP Maintenance fee payment

Free format text: PAYMENT OF MAINTENANCE FEE, 4TH YEAR, LARGE ENTITY (ORIGINAL EVENT CODE: M1551); ENTITY STATUS OF PATENT OWNER: LARGE ENTITY

Year of fee payment: 4